Help with making a SHA >1 certificate

Please forgive my ignorance here. I’m really not a certificate expert. I’m a software developer trying to make certificates to use in a testing situation.

I’ve got some scripts that I have been using for years. I’ve just upgraded to 1.10f (but there are no upgrade issues that I know of – that’s not the problem).

My last test certificate expired. So I am trying to make another one. All I seem to be able to make are SHA-1 signed certificates, but I’m trying to load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I think because of the SHA-1. Here is how I am making the certificate. What do I have to do differently to make a SHA-512 (or at least some SHA > 1) certificate?

Re: Help with making a SHA >1 certificate

Both the validity and the hash in the certificate are decided by the
"ca" command, which you didn't tell about wanting sha512 and 10 years.

sha512 on req determines only the hash used by the requestor to prove
he has the private key and sign the name etc. *suggested* to the ca.

-days on req when generating a request does nothing, and should perhaps
produce a warning, since this option is only meaningful when used with
the -x509 option to produce a self-signed cert instead of a request.
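
The behaviour described in this reply, as an added example that is not part of the original thread: a CSR created with `-sha512` is signed twice by a throwaway CA, once with the CA's configured defaults and once with `-md sha512 -days 3650` given to `openssl ca`. The file names, the `ca.cnf` contents (including its `sha256` and 30-day defaults) and the subject names are assumptions constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CA in a temp dir; all names, paths and defaults are made up.
set -e
demo_dir=$(mktemp -d)
cd "$demo_dir"
mkdir newcerts && : > index.txt && echo 01 > serial

cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = test_ca
[ test_ca ]
database       = index.txt
new_certs_dir  = newcerts
serial         = serial
certificate    = ca.crt
private_key    = ca.key
default_md     = sha256
default_days   = 30
unique_subject = no
policy         = policy_any
[ policy_any ]
commonName = supplied
EOF

# Self-signed test CA: with -x509, -days and the digest apply to a certificate.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt 2>/dev/null

# Request signed with SHA-512. No -days here: it only matters together with -x509.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -sha512 \
    -subj "/CN=test.example" -keyout leaf.key -out leaf.csr 2>/dev/null

# sign_csr OUT [ca options...]: issue a cert from leaf.csr, print its signature algorithm.
sign_csr() {
    out=$1; shift
    openssl ca -config ca.cnf -batch -notext "$@" -in leaf.csr -out "$out" 2>/dev/null
    openssl x509 -in "$out" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

default_alg=$(sign_csr default.crt)                       # ca.cnf defaults apply
forced_alg=$(sign_csr forced.crt -md sha512 -days 3650)   # overridden on the ca command line
echo "default: $default_alg   forced: $forced_alg"
```

The same effect can be made permanent by changing `default_md` and `default_days` in the CA section of the configuration file instead of passing the options each time.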

Re: Help with making a SHA >1 certificate

> -days on req when generating a request does nothing, and should perhaps
> produce a warning, since this option is only meaningful when used with
> the -x509 option to produce a self-signed cert instead of a request.